How to Cheat at Securing a Wireless Network, part 7


Chapter 7 • Wireless Network Architecture and Design

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: What does the G stand for in 1G, 2G, 2.5G, and 3G mobile wireless technologies?
A: It stands for generation, and its use implies the evolutionary process that mobile wireless is going through.

Q: What are the primary reasons that service providers use a Wireless Local Loop (WLL)?
A: The primary reasons are speed of deployment, deployment where wireline technologies are not practical, and finally, the avoidance of the local exchange carrier’s network and assets.

Q: Why is digital transmission better than analog in mobile wireless technologies?
A: Digital transmissions can be reconstructed and amplified easily, thus making it a cleaner or clearer signal. Analog signals cannot be reconstructed to their original state.

Q: Why do fog and rain affect optical links so much?
A: The tiny water particles act as tiny prisms that fracture the light beam and minimize the power of the signal.

Q: What is the difference between an ad-hoc network and an infrastructure network?
A: Ad-hoc networks are ones where a group of network nodes are brought together dynamically, by an Access Point (AP), for the purpose of communicating with each other. An infrastructure network serves the same purpose but also provides connectivity to infrastructure such as printers and Internet access.

Q: Several customers want me to give them up-front costs for designing and installing a network. When is the most appropriate time to commit to a set price for the job?
A: Try to negotiate service charges based on deliverables associated with each phase of the design process. In doing so, you allow the customer to assess the cost prior to entering into the next phase of the design.

Q: I’m very confused by all the different home network standards. Is there any way that I can track several of the different home networking standards from a single unbiased source?
A: Yes. There are several means of tracking various home network standards and initiatives. For comprehensive reports in the home network industry, I would suggest contacting Parks Associates at www.parksassociates.com. The Continental Automated Buildings Association (CABA) at www.caba.org is another good source for learning about home network technologies from a broad and unbiased perspective.

Q: I am trying to create a design of a wireless campus network and I keep finding out new information, causing me to change all of my work. How can I prevent this?
A: If you have done a thorough job in the planning phase you should already have identified all of the requirements for the project. Once you identify all of the requirements, you need to meet with the client and make sure that nothing was overlooked.

Chapter 8

Monitoring and Intrusion Detection

Solutions in this chapter:

■ Designing for Detection
■ Defensive Monitoring Considerations
■ Intrusion Detection Strategies
■ Conducting Vulnerability Assessments
■ Incident Response and Handling
■ Conducting Site Surveys for Rogue Access Points

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

Network monitoring and intrusion detection have become an integral part of network security. The monitoring of your network becomes even more important when introducing wireless access, because you have added a new, openly available entry point into your network. Security guards patrol your building at night.
Even a small business, if intent on retaining control of its assets, has some form of security system in place, as should your network. Monitoring and intrusion detection are your security patrol, and become the eyes and ears of your network, alerting you to potential vulnerabilities and intrusion attempts.

Designing secure wireless networks will rely on many of the standard security tools and techniques but will also utilize some new tools. In this chapter, you’ll learn about the planning and deployment issues that must be addressed early on in order to make monitoring and intrusion detection most effective when the system is fully operational.

You’ll also learn how to take advantage of current intrusion principles, tools, and techniques in order to maximize security of your wireless network. Specialized wireless tools such as NetStumbler and AirSnort will also be used to provide a better overall picture of your wireless security.

Intrusion Prevention (IP) systems may offer an additional layer to detection. We’ll discuss the pros and cons of their use, and their relationship to conventional intrusion detection. You’ll also learn how to respond to incidents and intrusions on a wireless network, as well as conduct site surveys to identify the existence of rogue Access Points (APs).

Designing for Detection

In this section, we will discuss how to design a wireless network with an emphasis on monitoring, focusing on the choice of equipment, physical layout and radio interference. The decision-making involved in the design, deployment, and installation of a wireless local area network (WLAN), combined with the choice of product vendor, can play a key role in later efforts to monitor the network for intrusions.

Designing for detection occurs when you build a network with monitoring and intrusion detection principles in mind from the start.
For example, when a bank is built, many of the security features, such as the vault security modules, closed circuit cameras, and the alarm are part of the initial design. Retrofitting these into a building would be much more expensive and difficult than including them in the beginning. The same idea is true with a network. Designing your network for detection, having made the decisions about monitoring strategies and the infrastructure to support them, will save you time and money in the long run.

If you’ve followed the design and configuration advice given in this book, you should be able to identify certain false alarms. Knowledge of your building’s layout and physical obstacles, as discussed earlier, will strengthen your ability to identify red herrings. Additionally, understanding sources of radio interference and having an idea of the limits of your network signal can also help avoid potential headaches from false alarms and misleading responses when patrolling the network for intruders. Keeping these points in mind, laying out your wireless network for the most appropriate detection should be no problem.

Starting with a Closed Network

The choice of vendor for your wireless gear can dramatically alter the visible footprint of your wireless network. After an Access Point is installed, it will begin emitting broadcasts, announcing, among other things, its Service Set Identifier (SSID). This is a very useful function for clients to be able to connect to your network. It makes discovery and initial client configuration very easy and quick. The ease of contact, however, has some security implications. The easily available nature of the network is not only available for your intended users, but for anyone else with a wireless card. The easier any system is to find, the easier it is to exploit.

In order to counteract some of the troubles with openly available and easily discoverable wireless networks, some vendors have developed a system known as closed network. With closed network functionality enabled, the wireless AP no longer broadcasts its SSID to the world; rather it waits for a client to connect with the proper SSID and channel settings. This certainly makes the network more difficult to find, as programs such as NetStumbler and dstumbler will not see it. The network is now much more secure, because it is much more difficult for an attacker to compromise a network he or she can’t see. The potential disadvantage, however, is that clients must now know the SSID and settings of your network in advance in order to connect. This process can be difficult for some users, as card configuration will be required. From a security standpoint, however, a closed network system is the ideal foundation from which to begin designing a more secure wireless network solution. A closed network-capable AP is recommended for all but those who wish to have an openly available wireless network (in such a scenario, security concerns are generally not primary).

Ruling Out Environmental Obstacles

Another important design consideration is the physical layout. A knowledge of the obstacles you are designing around is vital for determining the number of APs that will be required to provide adequate coverage for your wireless network. Many installations have suffered from administrators failing to take notice of trees, indoor waterfalls, and even the layout and construction materials of the building. Features such as large indoor fountains and even translucent glass walls can be a barrier to proper signal path. Fixing a broken network is much more of a burden than making sure everything is set up properly from the beginning. Before starting, learn as much as you can about the building in which you’re planning to deploy.
If the building is concrete with a steel frame, the 802.11 signal will be much more limited than if it were passing through a wood/drywall frame building. When placing the initial 802.11 AP, design from the inside-out. Place the AP toward the center of your user base and take advantage of the fact that the signal will radiate outwards. The goal of this placement is to provide the best quality of signal to your users, while limiting the amount and strength of the signal that passes outside of your walls. Remember, potential attackers will be looking for a signal from your network, and the weaker the signal is when it leaves your premises, the less likely an attacker can safely snoop on your network. Safely, in this case, means that an attacker doesn’t need to worry about being seen in an unusual place with a laptop. For example, an attacker sitting in your lobby with a wireless card is suspicious, but someone sipping coffee in a coffee shop with their laptop isn’t. Of course, signal strength alone isn’t a security measure, but it is part of the overall security package you will want to have built into your wireless network.

The second physical consideration that should be kept in mind when designing a wireless network is the building floor plan. Using the inside-out method of AP placement, place the AP as far as possible from external windows and doors. If the building layout is a square, with cubicles in all directions, place the AP in the center. If the building is a set of long corridors and rooms, then it will be best to experiment with placement. Try putting the APs at different locations, and then scout the location with NetStumbler or other tools to determine where the signal is strongest, and whether or not it can be seen from outside of your facility. We’ll talk more about using NetStumbler and other site evaluation tools a bit later.

Another consideration should be your neighbors.
In most environments, there will be other companies or businesses operating nearby. Whether from the floors above, below, or right next door, your signal may be visible. If you have competitors, this may be something which you wish to avoid, because they will be able to join your network, and potentially exploit it. Close proximity means that an attacker could easily and discreetly begin deciphering your wireless encryption keys. Proper placement and testing of your APs before deployment can help you gain a better understanding of your availability to those around you.

SECURITY ALERT

Remember that good design requires patience and testing. Avoid at all costs the temptation to design around obstacles simply by throwing more APs at the situation, or increasing the signal strength. While providing more signal and availability, this potentially dangerous scenario adds more points of entry to your network, and can increase your chance of compromise.

Ruling Out Interference

Thought should also be given to whether or not there are external or internal sources of radio interference present in your building. Potential problems can come from microwave ovens, 2.4GHz wireless phones, wireless video security monitors, and other 802.11b wireless networks. If these are present in large numbers in your environment, it may be necessary to do some experimentation with AP placement and settings to see which combination will provide the most available access. We’ll discuss interference in more detail in the next section, but be aware that these devices may create holes, or weaken your range. Having properly identified these sources and potential problems can help you diagnose future problems, and realize that an outage may not necessarily be an attacker but rather a hungry employee warming lunch.
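
The placement test described under Ruling Out Environmental Obstacles (scout the site with a survey tool, then check where the signal is strongest and whether it can be seen outside) can be made repeatable by analysing the survey readings. The Python below is an added example, not code from the book: the CSV layout, AP inventory, SSID and the -80 dBm threshold are constructed assumptions, and it goes one step further by also listing BSSIDs that are missing from the inventory.

```python
import csv
import io

# Constructed inventory of the organisation's own APs: BSSID -> label.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "AP-floor2-center",
    "00:11:22:33:44:02": "AP-floor2-east",
}
OUR_SSID = "corp-wlan"        # assumed SSID of the production WLAN
EXTERNAL_LIMIT_DBM = -80      # assumed: at or above this, the signal is usable outside

# Constructed survey export: one reading per line, taken while walking the site.
SURVEY_CSV = """location,zone,bssid,ssid,signal_dbm
cubicle-center,inside,00:11:22:33:44:01,corp-wlan,-48
conference-room,inside,00:11:22:33:44:02,corp-wlan,-61
lobby,inside,00:11:22:33:44:01,corp-wlan,-70
parking-lot,outside,00:11:22:33:44:02,corp-wlan,-72
parking-lot,outside,00:11:22:33:44:01,corp-wlan,-88
cafe-across-street,outside,00:11:22:33:44:02,corp-wlan,-79
conference-room,inside,00:AA:BB:CC:DD:10,linksys,-55
lobby,inside,00:aa:bb:cc:dd:20,corp-wlan,-66
cafe-across-street,outside,00:AA:BB:CC:DD:30,cafe-guest,-60
loading-dock,outside,00:11:22:33:44:02,corp-wlan,n/a
"""


def parse_survey(text):
    """Parse the export; drop rows whose signal or zone cannot be used."""
    readings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            signal = int(row["signal_dbm"])
        except (TypeError, ValueError):
            continue                      # e.g. "n/a" when the tool lost the beacon
        if row["zone"] in ("inside", "outside"):
            readings.append({"location": row["location"], "zone": row["zone"],
                             "bssid": row["bssid"].strip().lower(),
                             "ssid": row["ssid"].strip(), "signal": signal})
    return readings


def external_leaks(readings, limit=EXTERNAL_LIMIT_DBM):
    """Authorized APs heard outside the premises at or above `limit`, strongest first."""
    leaks = [(AUTHORIZED_APS[r["bssid"]], r["location"], r["signal"])
             for r in readings
             if r["zone"] == "outside" and r["bssid"] in AUTHORIZED_APS
             and r["signal"] >= limit]
    return sorted(leaks, key=lambda leak: leak[2], reverse=True)


def unlisted_aps(readings):
    """Map every BSSID missing from the inventory to its most serious triage label."""
    rank = {"neighbour": 0, "seen-inside": 1, "uses-our-ssid": 2}
    found = {}
    for r in readings:
        if r["bssid"] in AUTHORIZED_APS:
            continue
        if r["ssid"] == OUR_SSID:
            label = "uses-our-ssid"       # unknown radio advertising our network name
        elif r["zone"] == "inside":
            label = "seen-inside"         # audible on the premises: locate it
        else:
            label = "neighbour"           # only heard off-site
        if rank[label] > rank.get(found.get(r["bssid"]), -1):
            found[r["bssid"]] = label
    return found


if __name__ == "__main__":
    survey = parse_survey(SURVEY_CSV)
    for ap, where, dbm in external_leaks(survey):
        print(f"LEAK    {ap} reaches {where} at {dbm} dBm")
    for bssid, label in sorted(unlisted_aps(survey).items()):
        print(f"UNKNOWN {bssid} -> {label}")
```

Rerunning the same analysis after each placement or power change shows whether the external footprint actually shrank.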

Defensive Monitoring Considerations

Monitoring wireless networks for intrusion attempts requires attention to some newer details, which many security administrators have not encountered in the past. The use of radio for networking introduces new territory for security administrators to consider. Issues such as signal strength, distortion by buildings and fixtures, interference from local and remote sources, and the mobility of users are some of these new monitoring challenges not found in the wired world. Any attempt to develop an intrusion detection regime must take into account these new concepts. Security administrators must make themselves familiar with radio technology and the direct impact the environment will have on networks using these technologies.

Security monitoring is something that should be built into your initial wireless installation. Many devices have logging capabilities and these should be fully utilized in order to provide the most comprehensive overall picture possible of what is happening on your network. Firewalls, routers, internal Web servers, Dynamic Host Configuration Protocol (DHCP) servers, and even some wireless APs will provide log files, which should be stored and reviewed frequently. Simply collecting the logs isn’t enough; they should be thoroughly reviewed by security administrators. This is something that should be built into every security procedures guide, but is often overlooked. A firewall log is worthless if it’s never reviewed! Having numerous methods and devices in place to review traffic and usage on your network will provide critical insight into any type of attack, either potential or realized.

Availability and Connectivity

Obviously the most important things in building and operating a wireless network are availability and connectivity. A wireless network that users cannot connect to, while very secure, is completely useless.
Interference, signal strength and denial of service (DoS) attacks can all dramatically affect your availability. In the past, for an attacker to perform a denial of service attack against your internal network, they would have needed to gain access to it, not always a trivial task. Now, however, an attacker with a grudge against your organization needs only to know that a wireless network is present in order to attack. We’ll discuss the possibilities of denial of service attacks later in this section. Even if the network has been designed securely, simply the fact that the network is radio-based means these issues must be considered.

Interference and Noise

Identifying potential sources of interference during the design phase can help you identify potentially malicious sources of interference within your environment once you undertake your monitoring activities.

For example, during one wireless deployment, we were experiencing a major denial of service in one group. Users in one group were either unable to connect to the AP at all, or suffered from diminished bandwidth. It was suspected there was a potentially malicious source of activity somewhere, but after reviewing our initial design notes about the installation, we remembered a kitchen near these users. At the time of deployment, there was no known source of interference in the kitchen, but upon investigating further, we discovered the group had just installed a new commercial grade, high wattage microwave oven. As you can see, when deploying a wireless network, it’s important to explore all possible sources of interference before suspecting foul play.
If your organization uses noncellular wireless phones, or any other type of wireless devices, be certain you check whether or not they are operating in the 2.4GHz spectrum. While some devices like telephones won’t spark a complete outage, they can cause intermittent problems with connections. Other devices like wireless video monitors can cause serious conflicts, and should be avoided at all costs. Identifying potential problems early can be very useful when monitoring for interference and noise in your wireless network environment.

It should be noted that some administrators may have few, if any, problems with microwave ovens, phones, or other wireless devices, and tests published on the World Wide Web support this. A simple Web search for microwave ovens and 802.11b will give you plenty of information. However, do realize that while some have had few problems, this is no guarantee you will be similarly blessed. Instead, be thorough. Having an idea of potential problems can save you time identifying later connectivity issues.

As mentioned earlier, knowledge of your neighbors is a good idea when building a wireless network. If you are both running a wireless network with similar settings, you will be competing on the same space with your networks, which is sure to cause interference problems. Given this, it’s best to monitor what your neighbors are doing at all times to avoid such problems. Notice that conflicts of this kind are generally inadvertent. Nevertheless, similar situations can be used to create a denial of service, which we’ll discuss later.

Signal Strength

From a monitoring standpoint, signal strength is one of the more critical factors to consider. First, it is important to monitor your signal regularly in order to know the extent to which it is available. Multiple APs will require multiple investigations in order to gain a complete picture of what a site looks like externally.
Site auditing discovery tools should be used to see how far your signal is traveling. It will travel much farther than most manufacturers claim, so prepare to be surprised. If the signal is adequate for your usage, and you’d like to attempt to limit it, some APs will allow you to fine-tune the signal strength. If your AP supports this feature, experiment with it to provide the best balance between internal and external availability.

Whether you can fine-tune your signal strength or not, during initial design you should have noted points externally where the signal was available. Special attention should have been paid to problematic areas, such as cafes, roadways or parking lots. These areas are problematic because it is difficult, or impossible, to determine whether or not an attacker is looking at your wireless network specifically. When [...]

... performance-monitoring tools, with diverse prices and levels of functionality. Commercially available tools such as Hewlett-Packard’s OpenView have great amounts of market share. OpenView can be configured to watch just about any aspect of your network, your servers, bandwidth, and even traffic usage patterns. It is a very powerful tool that is also customizable and can be made to monitor just about anything imaginable ...

... the company security policy a provision banning any kind of wireless networking.

The Social Engineer

A determined attacker will stop at nothing to compromise a network, and the availability and low cost of wireless networking equipment has made this task slightly easier. In this scenario, an attacker who has either taken a position at your company as a nightly custodian or has managed to “social engineer” ...

... new attacks, time is always of the essence. New attacks occur daily, and the ability to add your own signature files to your IDS sensor can save you the wait for a vendor to release a new signature file. Another thing to keep in mind with signature files is that, if they are written too generically, false alarms will become the norm. The downfall of any IDS system, false alarms can desensitize administrators ...

... intentions, and one placed by an attacker hoping to gain access to a network.

The Well-intentioned Employee

The first situation involves a well-meaning employee. This person has been looking at advertisements at computer shops that feature low cost wireless network equipment, and having just purchased a wireless networking installation for home, wants to bring that convenience to work. Believing that having a wireless ...

... needed access to your internal network in order to cause a DoS outage. Since many wireless installations offer instant access into this network, it can be much easier for an attacker to get in and start shutting things down. There are two main ways an attacker can conduct a DoS against your wireless LAN. The first method would be fairly traditional. They would connect to the network, and simply start blasting ...

... the MAC addresses of all your authorized wireless APs. Another possibility is that an attacker will enable WEP encryption on their AP, ensuring that only they are able to access it at a later date. Attackers often tend to feel very territorial towards their targets. A similar scenario to this involves a technique known as social engineering. This generally involves representing oneself as someone else. A good ...

... autoresponsive tools, make sure you are careful to set them up in ways that can’t be used against you.

Watching for Unauthorized Traffic and Protocols

As a security or network administrator, it is generally a good idea to continuously monitor the traffic passing over your network. It can give you an idea of the network load, and more importantly, you can get an idea of what kinds of protocols are commonly ...

... can be a huge timesaver in big environments. A free alternative to NFR is a program called Snort, which is an excellent and freely available tool (downloadable from www.snort.org). Snort is a powerful and lightweight IDS sensor that also makes a great packet sniffer. Using a signature file or rule set (essentially a text file with certain parameters to watch the traffic it is inspecting), it generates alerts ...

... organizations, at others it can cost a tremendous amount of money both in lack of employee productivity and lost customer revenue. One only needs to look back at the DoS attacks conducted in February 2000 against several major E-commerce companies to realize the threat from such attacks. On an Internet level, this type of attack can be devastating, but at the wireless networking level, they may not be as ...

... spells trouble. A custom signature could be defined to look for “by hAx0r,” therefore defeating this type of attack strategy. Again, this scenario is a very simplistic example of custom signature writing. In reality, there is much more in the way of actual analysis of attacks and attack strings that must be done. Simple signatures can be very easy to write or modify, but the more complex the attack, the more ...

Posted: 14/08/2014, 18:22
